Alureon
Alureon is a trojan and bootkit which is designed, amongst other things, to steal data by intercepting a system's network traffic and searching it for usernames, passwords and credit card data. Following a series of customer complaints, Microsoft determined that Alureon was the cause of a series of BSoD problems on some 32-bit Microsoft Windows systems which were triggered when some invalid assumptions made by the malware author(s) were broken by Patch Tuesday update MS10-015.

According to research by Microsoft, Alureon was the second most active botnet in the second quarter of 2010.
Description

The Alureon rootkit was first seen in 2006. PCs usually get infected by manually downloading and installing Trojan software, and it has been seen bundled with the rogue security software Security Essentials 2010. When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to write a filesystem at the end of the disk; it then infects low-level system drivers such as those responsible for PATA operations (atapi.sys) to implement its rootkit. While Alureon has also been known to redirect search engines to commit click fraud, Google has taken steps to mitigate that for their users by detecting it and warning the user. Once installed, it blocks access to Windows Update and attempts to disable some anti-virus products.

The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015. The malware was using a hard-coded memory address in the kernel that changed after installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present, while the malware author also fixed the bug in his code.

In November 2010, the press reported that the rootkit has evolved to the point that it is able to bypass the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7 by subverting the master boot record, something that also makes it particularly resistant on all systems to detection and removal by anti-virus software.
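The MBR subversion described above, and the FixMbr step in the Removal section below, both come down to whether sector 0 still holds the expected boot code. The following is an added Python example, not part of the original article, that parses a 512-byte MBR and compares its boot code against a hash recorded on a known-clean machine; the sector images, the baseline and all function names are constructed for the example.

```python
# Added example (not from the article): offline integrity check for the 512-byte
# master boot record, the structure an MBR bootkit must overwrite. Boot code
# (bytes 0-445) is hashed against a known-clean baseline; the partition table
# and the 0x55AA signature are validated. All sector images are constructed.
import hashlib
import struct

BOOT_CODE_LEN = 446                 # bootstrap code precedes the partition table
PART_TABLE_OFF = 446                # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xAA"             # boot signature at offset 510
ENTRY_FMT = "<B3xB3xII"             # status, CHS start, type, CHS end, LBA start, size


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, used partition entries and a signature flag."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype:                   # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return findings; an empty list means the MBR matches the clean baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in mbr["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def make_sector(boot_code: bytes, entries: bytes) -> bytes:
    """Assemble a constructed 512-byte sector for the example."""
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entries.ljust(64, b"\x00") + SIGNATURE


# Constructed clean image: one active NTFS-type (0x07) partition starting at LBA 2048.
CLEAN_ENTRY = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
CLEAN_MBR = make_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16, CLEAN_ENTRY)
BASELINE = hashlib.sha256(parse_mbr(CLEAN_MBR)["boot_code"]).hexdigest()  # taken while clean
# Same partition table, different boot code: the condition the check must flag.
TAMPERED_MBR = make_sector(b"\xEB\xFE" + b"\x00" * 8, CLEAN_ENTRY)
```

On a real system an administrator would read the first 512 bytes of the raw disk device into `sector`; a non-empty result is a cue to compare against the baseline before trusting FixMbr alone.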
Removal

While the rootkit is generally able to hide itself very effectively, circumstantial evidence of the infection may be found by examining network traffic and outbound connections (Netstat). The "FixMbr" command of the Windows Recovery Console and manual replacement of atapi.sys may be required before some anti-virus tools are able to find and clean an infection.

External links
- TDSSKiller - Removal tool by Kaspersky
- Virus:Win32/Alureon.A at Microsoft Malware Protection Centre
- Backdoor.Tidserv at Symantec
- Norman TDSS Remover
- TDSS Removal